
Network Security: Stand & Deliver

By Matt Villano

09/26/06

It’s time to strengthen network defenses, but which solutions really work? Take your cues from these campus technologists, and take notes.

October is national Cyber Security Awareness Month (visit the National Cyber Security Alliance), and for the world of higher education, that means it’s high time to take a look at defense systems and plan for the future.

Clearly, more planning is needed now than ever before. According to the majority of IT market research firms, phishing and identity theft have leapfrogged spam and spyware as top concerns; viruses and e-mail worms are at an all-time high; and other affronts to the network (such as distributed denial of service, or DDoS, attacks and zombie, or “botnet,” attacks) are occurring with greater and greater frequency. Even hackers are getting in on the act: A recent USA Today review of 109 computer-related security breaches reported by 76 college campuses since January 2005 found that 70 percent involved hacking of one form or another.

Faced with this multitude of threats, security administrators across higher education are fighting back on four major fronts: the perimeter, inside the network (internal), e-mail, and the administrative level. While perimeter defenses revolve around next-generation firewalls, internal network strategies focus on something called “cooperative enforcement” to make sure endpoints are secure. E-mail security is its own beast altogether, and at the administrative level, security experts are implementing a mix of penetration-testing and security-event-management tools to identify and repair security problems proactively. These are groundbreaking security strategies that work.

Fortifying the Perimeter

Talk about headaches. Security administrators at West Virginia University were reaching for the aspirin just about every day last year, as the campus network was constantly under attack by unwanted and malicious network traffic, including viruses and worms. Timothy Williams, WVU’s director of telecommunications and network operations, remembers that at one point, his IT team incurred a significant drop in staff productivity due to a required focus on cleaning computer systems of these infections. These technologists needed serious help in fighting the threats they faced, but they didn’t want a solution that would compromise network performance.

Finally, the WVU team settled on three perimeter devices from Fortinet. The devices, FortiGate 3600s, were positioned at the internet gateway to scan all traffic coming into and going out of the campus network. Administrators programmed the tools to flag all traffic with viruses, intrusions, and other security threats. Because the tools are powered by application-specific integrated circuit (ASIC) microchips specifically designed to perform security checks, they were able to parse through web traffic in no time. Williams says his team reaped the benefits of this new approach almost immediately.

“Since deploying the systems, we have reduced the number of [threats],” he says, noting that team members have reduced the number of problem systems from 48 per day, to no more than five. Williams adds that the devices are also saving the IT department “significant time and money in support costs, and allowing us to better focus our efforts on academic pursuits.”


At George Washington University (DC), technologists recently implemented similar technology from Reconnex to ensure that certain internet traffic complied with federal privacy regulations laid out in the Gramm-Leach-Bliley Act of 1999. This tool, dubbed iGuard, sits on the network perimeter and scans all outgoing web traffic for sensitive files or data that could violate the law. In particular, the tool searches e-mails and Microsoft Office files for sensitive information such as Social Security and credit card numbers. If the device identifies something that violates campus policy, it blocks the message and notifies the sender immediately.

As a result of safeguarding this private information, Amy Hennings, assistant director of information security, says iGuard has become the school’s primary defense against identity theft. Because it was installed just this summer, however, the solution is still too new for GWU to determine how well it’s working. Eventually, says Hennings, the tool will make the network more secure by keeping private information from passing over the network perimeter. In the meantime, she notes, campus skeptics have questioned whether the school is invading the very privacy it’s trying to protect. Her team has worked hard to fight this perception.

“We want to make sure that everyone knows we’re not interested in reading their e-mails,” she says. “We just want to make sure all of the e-mails satisfy compliance requirements.”
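The pattern-plus-checksum approach behind a perimeter scanner of the iGuard kind, as an added example that is not Reconnex’s code or GWU’s configuration: it looks for Social Security and credit card numbers in an outbound message, confirms card candidates with the Luhn checksum and SSN candidates with structural rules so that ordinary reference numbers are not blocked, and returns masked findings that can be logged and cited in the notice to the sender. The regular expressions, the policy of blocking on any confirmed finding, and the sample message are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one piece of sensitive data found in an outbound message.
// Value is masked so the finding can be logged without re-exposing the data.
type Finding struct {
	Kind  string // "ssn" or "credit_card"
	Value string
}

var (
	// US Social Security number in the usual dashed form, e.g. 123-45-6789.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// 13 to 19 digits with optional single spaces or dashes between them (common card layouts).
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// onlyDigits drops separators so the checksum can be computed.
func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// luhnValid applies the Luhn checksum used by all major card brands. Requiring it
// before flagging a number rejects most digit runs that merely look like a card number.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// plausibleSSN rejects structurally impossible SSNs: area 000, 666 or 9xx,
// group 00, or serial 0000 are never assigned.
func plausibleSSN(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// mask keeps separators and the last four digits, replacing every other digit with '*'.
func mask(s string) string {
	total := len(onlyDigits(s))
	var b strings.Builder
	seen := 0
	for _, r := range s {
		if r >= '0' && r <= '9' {
			seen++
			if seen <= total-4 {
				b.WriteRune('*')
				continue
			}
		}
		b.WriteRune(r)
	}
	return b.String()
}

// Scan inspects one outbound message body and returns every confirmed finding.
func Scan(body string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllString(body, -1) {
		if plausibleSSN(m) {
			out = append(out, Finding{Kind: "ssn", Value: mask(m)})
		}
	}
	for _, m := range cardRe.FindAllString(body, -1) {
		if luhnValid(onlyDigits(m)) {
			out = append(out, Finding{Kind: "credit_card", Value: mask(m)})
		}
	}
	return out
}

// Decide applies the policy described for iGuard: any confirmed finding blocks the
// message, and the findings are what the notification to the sender would cite.
func Decide(body string) (blocked bool, findings []Finding) {
	findings = Scan(body)
	return len(findings) > 0, findings
}

// Constructed sample message (not real data): one SSN, one well-known test card number,
// one 16-digit reference that fails Luhn, and a phone number that matches neither pattern.
const sampleOutbound = `Hi Sarah, please process the reimbursement for Jordan Lee.
Employee SSN: 219-09-9999. Card on file: 4111 1111 1111 1111.
Ticket reference 1234 5678 9012 3456 (not a card). Phone 555-123-4567.`

func main() {
	blocked, findings := Decide(sampleOutbound)
	fmt.Println("blocked:", blocked)
	for _, f := range findings {
		fmt.Printf("  %-12s %s\n", f.Kind, f.Value)
	}
}
```

On the sample message the scanner blocks and reports two findings, the SSN and the card, while the ticket reference passes because it fails the Luhn check; that checksum step is what keeps a scanner of this kind from blocking every message that happens to contain a long number.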

Securing the Interior

Blocking certain traffic at the perimeter is one thing; administering security protocols inside the network is something else entirely. At the University of California-Berkeley, officials in the department of electrical engineering and computer sciences recently piloted a network access control (NAC) appliance from FireEye to determine which users could gain access to certain portions of the campus network. Network Manager Fred Archibald says the FireEye 4200 tool mirrors network traffic and quarantines any machine it suspects to be a security threat, until that device can prove it is safe.

Also in the San Francisco Bay Area, in the Contra Costa Community College District, technologists recently launched a different type of quarantine effort, courtesy of a Secure Sockets Layer (SSL) virtual private network (VPN) from NeoAccel. The product, dubbed SSL VPN-Plus, scans outside users as they log in to the campus network through the VPN, and disallows access to those machines that do not carry all of the latest antivirus and anti-spyware technology. The system then pushes these tools onto the users’ computers and forces them to upgrade before granting access. According to Katherine Ogden, network technology manager, the process has made the entire network safer.

Behind the DShield

Let’s say you’re a network administrator and your perimeter defenses have just been breached. No doubt you’re unhappy about the situation, you’re wondering how it happened, and you’re wishing you could see how many times the same thing has happened to other schools across the country on the same day your own system was hit. Enter DShield.

DShield is a free, open source service that provides a platform for users of firewalls to share intrusion information. Officially launched in 2000, the site received substantial support from the security-training organization the SANS Institute, and has become the data collection engine behind the SANS Internet Storm Center.

The site provides a color-coded map of the world, with pie charts for each continent, outlining the most commonly attacked ports and the most frequent types of attacks on each port. The charts present the information as a percentage of a whole. In this fashion, users can see which parts of the world are experiencing the greatest number of attacks at a given time.

In the academic environment, colleges and universities can implement localized versions of DShield on their own campuses. At Virginia Polytechnic Institute and State University, for instance, technologists gather attack data from firewalls on campus and publish a similar map. Randy Marchany, director of the school’s IT Security Lab, says the school is using this technology as an early warning system, and notes that he relies on the system to see if certain sections of campus are being targeted, and to see which of these sections is reflecting the most intense scan patterns.

“It’s sort of like looking at a weather map,” he says. “I know, for instance, that a front in St. Louis will get here in two days, and that information can be really useful under the right circumstances.”
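One way a campus could build the localized view described above, as an added example that is not DShield’s or Virginia Tech’s code: it parses constructed iptables-style DROP records, reports each destination port’s share of all drops together with the number of distinct sources hitting it, and counts drops per destination /24 so that a team can see which section of campus is being scanned. The log format and the addresses are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of firewall records in an iptables-style syslog format (not real logs).
// Only DROP records carry attack signal; the final ACCEPT line is there to show it is ignored.
const sampleFirewallLog = `Sep 26 09:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP DPT=445
Sep 26 09:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.21 PROTO=TCP DPT=445
Sep 26 09:00:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.22 PROTO=TCP DPT=445
Sep 26 09:00:09 fw1 kernel: DROP IN=eth0 SRC=192.0.2.14 DST=198.51.100.23 PROTO=TCP DPT=445
Sep 26 09:00:15 fw2 kernel: DROP IN=eth0 SRC=192.0.2.200 DST=198.51.101.9 PROTO=TCP DPT=445
Sep 26 09:01:00 fw2 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.101.10 PROTO=TCP DPT=1433
Sep 26 09:01:01 fw2 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.101.11 PROTO=TCP DPT=1433
Sep 26 09:01:02 fw2 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.101.12 PROTO=TCP DPT=1433
Sep 26 09:02:30 fw1 kernel: DROP IN=eth0 SRC=192.0.2.31 DST=198.51.100.20 PROTO=TCP DPT=22
Sep 26 09:02:31 fw2 kernel: DROP IN=eth0 SRC=192.0.2.31 DST=198.51.101.9 PROTO=TCP DPT=22
Sep 26 09:02:35 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.5 DST=198.51.100.20 PROTO=TCP DPT=80`

var dropRe = regexp.MustCompile(`\bDROP\b.*\bSRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)`)

// Drop is one blocked packet as the firewall reported it.
type Drop struct{ Src, Dst, Proto, Port string }

// ParseLog extracts the DROP records and skips everything else.
func ParseLog(text string) []Drop {
	var drops []Drop
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if m := dropRe.FindStringSubmatch(sc.Text()); m != nil {
			drops = append(drops, Drop{Src: m[1], Dst: m[2], Proto: m[3], Port: m[4]})
		}
	}
	return drops
}

// PortStat is one slice of the DShield-style chart: a protocol/port, its share of all
// drops, and how many distinct sources hit it (one noisy host versus a broad scan).
type PortStat struct {
	Port    string
	Count   int
	Percent float64
	Sources int
}

// PortBreakdown aggregates drops by protocol/port, most-hit first.
func PortBreakdown(drops []Drop) []PortStat {
	counts := map[string]int{}
	sources := map[string]map[string]bool{}
	for _, d := range drops {
		key := d.Proto + "/" + d.Port
		counts[key]++
		if sources[key] == nil {
			sources[key] = map[string]bool{}
		}
		sources[key][d.Src] = true
	}
	var stats []PortStat
	for key, n := range counts {
		stats = append(stats, PortStat{
			Port:    key,
			Count:   n,
			Percent: float64(n) * 100 / float64(len(drops)),
			Sources: len(sources[key]),
		})
	}
	sort.Slice(stats, func(i, j int) bool {
		if stats[i].Count != stats[j].Count {
			return stats[i].Count > stats[j].Count
		}
		return stats[i].Port < stats[j].Port
	})
	return stats
}

// SubnetTargets counts drops per destination /24: the "which section of campus is
// being targeted" view Marchany describes.
func SubnetTargets(drops []Drop) map[string]int {
	out := map[string]int{}
	for _, d := range drops {
		octets := strings.Split(d.Dst, ".")
		if len(octets) != 4 {
			continue
		}
		out[strings.Join(octets[:3], ".")+".0/24"]++
	}
	return out
}

func main() {
	drops := ParseLog(sampleFirewallLog)
	fmt.Printf("%d dropped packets\n", len(drops))
	for _, s := range PortBreakdown(drops) {
		fmt.Printf("  %-9s %3d drops  %5.1f%%  %d distinct sources\n", s.Port, s.Count, s.Percent, s.Sources)
	}
	for subnet, n := range SubnetTargets(drops) {
		fmt.Printf("  %s: %d drops\n", subnet, n)
	}
}
```

The distinct-source count is the early-warning signal: on the sample data port 445 draws half of all drops from four different sources, which reads as a scan in progress, while the three hits on 1433 all come from one host.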

“We haven’t had any kind of virus outbreak on our network since we started using it,” says Ogden, noting that the product has been running for about a year. “Another benefit: Our users appreciate being told that they have these issues—issues that will affect the security of their machines.”

IT officials at Colby-Sawyer College (NH) are embracing similar strategies to secure the inside of their network, but because the college operates on a limited budget, officials have turned to less expensive technologies. In fact, Scott Brown, information security analyst at the 1,000-student school, says the department recently put forth a concerted effort to ditch all of its big-name security vendors and embrace innovative, off-the-beaten-path companies. The effort replaced a popular antivirus product with software called Nod32 from ESET; it also involved a trio of new products from PA-based developer/reseller Classic Networking.

The first of these products, Classic Networking’s own Client Assessment Tool (CAT), scans remote computers to make sure they comply with all of the school’s latest security policies. Next, a tool called the ResNet Policy Manager from MSI Software provides the school with the ability to register users and enforce the school’s policy for Windows Updates, antivirus and anti-spyware efforts, and more. Completing Colby-Sawyer’s new triad is the NitroGuard intrusion prevention system (IPS) from NitroSecurity, which uses a correlation engine to identify security threats within the network and isolate anomalous network activity before problems can occur.

“While we spent hours configuring our system under the old approach, our new solutions take care of almost everything automatically,” says Brown. “That each of these products can retrieve information from the others is a great benefit.”

Protecting E-mail

Because so many security threats travel via e-mail, one of the best ways to secure a network is to make certain that e-mail is safe. In the interest of simplifying management and cost, many schools handle this by opting for unified threat management (UTM) appliances from vendors such as Check Point Software Technologies and Internet Security Systems. These tools combine anti-spam and antivirus technologies with firewall, VPN, IPS, and intrusion detection systems (IDS) to provide an all-in-one solution. By and large, they are worthwhile methods of defending e-mail and a variety of other network functions.

Other schools, however, opt for standalone appliances to handle nothing but e-mail. At Winthrop University (SC), technologists recently installed a RazorGate MailHurdle e-mail appliance from Mirapoint to scan for all sorts of viruses and spam. According to Jim Hammond, associate VP of IT, the device also enables administrators to scan for “graylisted” e-mails, or e-mails that may be of suspicious origin. Based upon preset heuristics, if the tool suspects a sender may be a spammer, it will automatically send a “challenge” e-mail that requires response before the message is processed. Most spam systems cannot respond to this request. “Legitimate e-mail systems have automatic retries written into them,” explains Hammond. “Graylisting is a way to make sure the sender is legitimate.”
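The retry behaviour Hammond describes, as an added example that is not Mirapoint’s implementation: a graylist keyed on the connecting host, envelope sender and envelope recipient that answers the first delivery attempt from an unknown triplet with a temporary SMTP failure and accepts the retry once a minimum delay has passed, which a queued mail server does on its own and most bulk mailers never do. The two-minute minimum delay, the eight-hour expiry and the sample senders are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Triplet is what graylisting keys on: the connecting host, the envelope sender
// and the envelope recipient.
type Triplet struct {
	ClientIP, From, To string
}

type entry struct {
	firstSeen time.Time
	verified  bool
}

// Verdict is the answer the mail server gives the connecting host.
type Verdict int

const (
	TempFail Verdict = iota // SMTP 4xx: "try again later"
	Accept
)

func (v Verdict) String() string {
	if v == Accept {
		return "accept"
	}
	return "tempfail"
}

// Graylist defers the first delivery attempt from an unknown triplet. A real mail
// server keeps the message queued and retries later; most bulk mailers never do.
type Graylist struct {
	minDelay time.Duration // a retry sooner than this is still refused
	maxWait  time.Duration // a triplet not retried within this window is forgotten
	seen     map[Triplet]entry
}

func NewGraylist(minDelay, maxWait time.Duration) *Graylist {
	return &Graylist{minDelay: minDelay, maxWait: maxWait, seen: map[Triplet]entry{}}
}

// Check is called once per delivery attempt; now is passed in so the logic is testable.
func (g *Graylist) Check(t Triplet, now time.Time) Verdict {
	e, known := g.seen[t]
	switch {
	case !known:
		g.seen[t] = entry{firstSeen: now}
		return TempFail
	case e.verified:
		return Accept
	case now.Sub(e.firstSeen) > g.maxWait:
		// The earlier attempt has expired; treat this as a fresh first contact.
		g.seen[t] = entry{firstSeen: now}
		return TempFail
	case now.Sub(e.firstSeen) < g.minDelay:
		// Retrying within seconds is not how a mail queue behaves; keep refusing.
		return TempFail
	default:
		e.verified = true
		g.seen[t] = e
		return Accept
	}
}

func main() {
	g := NewGraylist(2*time.Minute, 8*time.Hour)
	t0 := time.Date(2006, 9, 26, 9, 0, 0, 0, time.UTC)
	// Constructed senders: a real mail server that retries after five minutes,
	// and a bulk mailer that retries within seconds and then gives up.
	legit := Triplet{"198.51.100.7", "alice@example.edu", "bob@campus.example"}
	bulk := Triplet{"203.0.113.9", "deals@bulk.example", "bob@campus.example"}
	fmt.Println("legit, first attempt:", g.Check(legit, t0))
	fmt.Println("legit, retry +5m:    ", g.Check(legit, t0.Add(5*time.Minute)))
	fmt.Println("bulk, first attempt: ", g.Check(bulk, t0))
	fmt.Println("bulk, retry +10s:    ", g.Check(bulk, t0.Add(10*time.Second)))
}
```

The cost of this technique is the delay on first contact from any new sender, which is why deployments typically whitelist known-good relays; the benefit is that it needs no signature database, since it relies only on the retry behaviour that standards-compliant mail servers already have.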


There’s more than one way to guarantee e-mail traffic is secure, and at the University of Wisconsin-Madison, academic technologists have tethered their efforts to an encryption technology known as public key infrastructure (PKI). In general, PKI systems are run by a certificate authority (CA) server that issues digital certificates to authenticate the identity of organizations and individuals over the network. Nick Davis, the school’s PKI administrator, says that at UW, these certificates also are used to sign messages digitally, a process that proves and ensures system e-mail messages have not been tampered with.

Wisconsin’s PKI infrastructure is a hodgepodge of homegrown and vendor solutions. After building certain components of the system themselves, the IT department started issuing digital certificates in September 2005 with the True Credentials system from GeoTrust. Today, the certificates are available to roughly 450 faculty and staff users. While these users are not required to use certificates, the school has developed a policy that encourages users to do so under certain circumstances. Davis notes that those who send mass e-mails, for instance, are asked to sign the notes digitally as proof that the blasts are not spam.

“We’ve taught our users to understand that when an e-mail comes in with a red exclamation point that says it’s not trusted, they ignore it or throw it away,” he says, adding that each user’s certificate is good for one year, and that GeoTrust also provides off-site certificate escrow to keep track of which certificates go where. “This takes trusted e-mail to a whole new level,” says Davis.
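The signing and verification steps Davis describes, as an added example that is not UW-Madison’s system or GeoTrust’s service: a certificate authority issues a one-year certificate to a user, the user signs a message body with the matching private key, and the recipient accepts the message only if the certificate chains to a trusted root and the signature matches the body as received. The in-memory self-signed CA, the ECDSA P-256 keys, the names and the sample message are assumptions; a real deployment would rely on the CA’s issued certificates and an S/MIME-capable mail client, which is what puts the “not trusted” mark on a message that fails either check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CampusCA stands in for the CA (GeoTrust's service in UW's case): an in-memory root plus the root pool mail clients trust.
type CampusCA struct {
	key   *ecdsa.PrivateKey
	cert  *x509.Certificate
	roots *x509.CertPool
}

func check(err error) {
	if err != nil {
		panic(err) // only entropy failure can bring these in-memory operations here
	}
}

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // signed with the parent's key
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func NewCampusCA(name string) *CampusCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := mkCert(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &CampusCA{key: key, cert: cert, roots: roots}
}

// Issue returns a one-year user certificate (the lifetime Davis mentions) limited to e-mail protection, plus its key.
func (ca *CampusCA) Issue(email string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return mkCert(tmpl, ca.cert, &key.PublicKey, ca.key), key
}

// SignMessage is the sender's step: an ECDSA signature over the SHA-256 digest of the body.
func SignMessage(key *ecdsa.PrivateKey, body []byte) []byte {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// Verify is the recipient's step: chain to a trusted root, right usage, and a signature that matches the body received.
func (ca *CampusCA) Verify(cert *x509.Certificate, body, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: ca.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return false // expired, wrong usage, or issued by a CA the campus does not trust
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(body)
	return pub != nil && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome holds Demo's three verdicts on a constructed mass e-mail: intact, altered in transit, signed under an unrelated CA.
type Outcome struct{ Valid, Tampered, Untrusted bool }

func Demo() Outcome {
	campus := NewCampusCA("Campus Mail CA (example)")
	cert, key := campus.Issue("registrar@campus.example")
	rcert, rkey := NewCampusCA("Unrelated CA (example)").Issue("registrar@campus.example")
	body := []byte("Subject: Fall registration opens Monday\n\nRegister from 8 a.m.\n")
	sig := SignMessage(key, body)
	return Outcome{
		Valid:     campus.Verify(cert, body, sig),
		Tampered:  campus.Verify(cert, []byte("Subject: Fall registration opens Monday\n\nRegister from 9 a.m.\n"), sig),
		Untrusted: campus.Verify(rcert, body, SignMessage(rkey, body)),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Demo returns Valid true and both Tampered and Untrusted false: a single changed character in the body invalidates the signature, and a certificate carrying the same e-mail address but issued by a CA outside the campus root pool is rejected before the signature is even examined. That second check is the point of running a CA at all; without it, anyone could mint a certificate for a registrar’s address.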

Managing the Whole

The assumption with technologies such as PKI is that nothing is safe unless proven otherwise. Many schools, however, take the opposite approach, assuming that systems are safe unless they can find a hole. The act of finding these weaknesses usually revolves around processes such as vulnerability management and penetration testing. In both scenarios, network administrators deploy security tools to act like hackers and scour a network for chinks in its armor. The open source movement has led to the development of a number of free tools for this purpose (see “Behind the DShield” and “Tools of the Trade”), but a variety of vendors sell proprietary solutions as well.

One of those for-profit solutions is Core Impact from Core Security Technologies. At the University of North Florida, technologists recently deployed this tool to automate the penetration testing methods previously carried out by hand. In the past, this process was essentially a full-time job. Today, the Core Impact device continuously pings servers and firewalls on the network to discover weaknesses. Jeff Durfee, assistant director of information security, says that when the new system discovers a weakness, it alerts network administrators and suggests patches to make the defenses as good as new.

“Fixing problems still rests with us,” says Durfee. “But knowing this product is constantly testing our network to find [problems] makes us feel more comfortable with the defenses we have.”

Up Next

Many schools see tools such as vulnerability assessment apps falling into a new category of security solutions: security event management (SEM) software. Generally, this technology combines vulnerability assessment with packet monitoring, intrusion detection and prevention, and a reporting engine to present findings coherently. Still, like penetration testing tools, SEM tools only find problems; they don’t fix them. Yet, when SEM software is working adequately, it can centralize a number of security features, making it easier for network administrators to manage a variety of functions.
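The kind of correlation an SEM system performs when it combines vulnerability assessment with intrusion detection, as an added example that is not any vendor’s product or Boston College’s system: it joins intrusion-detection alerts with the latest vulnerability-scan results by host and service, so that an attack against a service the scanner reports vulnerable ranks as critical, an attack against a patched service is merely informational, an attack on a host the scanner never covered is flagged as unverified, and a vulnerable service nobody has attacked yet goes into the patch queue. The event formats, priority names and sample data are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// IDSAlert is one event from the intrusion detection sensor (constructed format).
type IDSAlert struct {
	Host      string // targeted host inside the network
	Service   string // service the signature is aimed at
	Signature string
}

// ScanResult is one finding from the most recent vulnerability scan (constructed format).
type ScanResult struct {
	Host       string
	Service    string
	Vulnerable bool
}

// Priority is the order in which the console should present correlated items.
type Priority string

const (
	Critical      Priority = "critical"      // attacked, and the scanner reports the service vulnerable
	Unverified    Priority = "unverified"    // attacked, but the host was not covered by the last scan
	PatchQueue    Priority = "patch-queue"   // vulnerable, no attack traffic seen yet
	Informational Priority = "informational" // attacked, but the scanner reports the service patched
)

var rank = map[Priority]int{Critical: 0, Unverified: 1, PatchQueue: 2, Informational: 3}

// Item is one line on the console.
type Item struct {
	Host, Service, Reason string
	Priority              Priority
}

// Correlate joins alerts and scan results on (host, service) and ranks what comes out.
func Correlate(alerts []IDSAlert, scan []ScanResult) []Item {
	type key struct{ host, svc string }
	vulnerable := map[key]bool{}
	for _, r := range scan {
		vulnerable[key{r.Host, r.Service}] = r.Vulnerable
	}
	attacks := map[key]int{}
	for _, a := range alerts {
		attacks[key{a.Host, a.Service}]++
	}
	var items []Item
	for k, n := range attacks {
		isVuln, scanned := vulnerable[k]
		switch {
		case isVuln:
			items = append(items, Item{k.host, k.svc, fmt.Sprintf("%d alert(s) against a service the scanner reports vulnerable", n), Critical})
		case scanned:
			items = append(items, Item{k.host, k.svc, fmt.Sprintf("%d alert(s), but the scanner reports the service patched", n), Informational})
		default:
			items = append(items, Item{k.host, k.svc, fmt.Sprintf("%d alert(s); host not covered by the last scan", n), Unverified})
		}
	}
	for k, isVuln := range vulnerable {
		if isVuln && attacks[k] == 0 {
			items = append(items, Item{k.host, k.svc, "vulnerable service with no attack traffic seen", PatchQueue})
		}
	}
	sort.Slice(items, func(i, j int) bool {
		if rank[items[i].Priority] != rank[items[j].Priority] {
			return rank[items[i].Priority] < rank[items[j].Priority]
		}
		return items[i].Host+items[i].Service < items[j].Host+items[j].Service
	})
	return items
}

// Constructed sample data: two hosts attacked over SMB, one over MSSQL, one vulnerable host left alone.
var (
	sampleAlerts = []IDSAlert{
		{"198.51.100.20", "smb", "SMB exploit attempt"},
		{"198.51.100.20", "smb", "SMB exploit attempt"},
		{"198.51.100.21", "smb", "SMB exploit attempt"},
		{"198.51.101.10", "mssql", "MSSQL brute-force login"},
	}
	sampleScan = []ScanResult{
		{"198.51.100.20", "smb", true},
		{"198.51.100.21", "smb", false}, // patched last week
		{"198.51.100.30", "smb", true},  // nobody has hit it yet
	}
)

func main() {
	for _, it := range Correlate(sampleAlerts, sampleScan) {
		fmt.Printf("%-13s %-15s %-6s %s\n", it.Priority, it.Host, it.Service, it.Reason)
	}
}
```

The join is what turns two noisy feeds into a short list: of the four alerts in the sample, only the two against the unpatched host rise to the top, and the host the scanner missed is surfaced as a coverage gap rather than silently treated as safe.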

Tools of the Trade

Security was hot on the minds of those who attended the Campus Technology 2006 conference in Boston this summer. During a panel about fighting hackers, technologist Jane DelFavero, assistant director of technology security services at New York University, listed a number of free tools that can be used to snuff out spots where hackers may sneak into the campus network.


Recent reports from Gartner indicate that it can cost up to $400,000 to implement an off-the-shelf SEM system. At Boston College (MA), however, technologists recently took matters into their own hands, developing their own system to manage security events. The new product is built in XML and Java. David Escalante, director of computer policy and security, says that while it isn’t perfect yet, it has improved visibility of security events across the network as a whole, enabling IT administrators to be more proactive about the enhancements they choose to make.

“If you’re securing your network adequately, you’ve got a bunch of machines generating a ton of data almost every hour,” Escalante says. “We’re just trying to manage this information constructively, and hope to figure out a way to make it more useful than ever before.”
